[Dshield] Possible solution for ISP (was DShield's public goals)

Tom dshield at oitc.com
Fri Jan 13 13:28:46 GMT 2006


Not if they apply good statistical analysis to the data.  They data 
really contains no "false positives" only false implication of 
intent. The fact that there was a connection/connection 
attempt/probes/etc on a port is a fact. Determining that it was not 
done by mistake (such as a browser user typing http://domian.com:7990 
instead of of http://domain.com:8080 due to typos) is a separate 
issue.  Good statistical analysis of the raw data can allow a network 
owner to find the bad and find those users that are never practicing 
safe computing and constantly being reinfected and causing problems 
from the typos and one off port scans.

Tom

At 7:07 AM -0500 1/13/06, Ed Truitt wrote:
>And what do you use as the criteria for determing the validity of a 
>report?  For example, we know that the DShield database is an 
>excellent source on who is 'attacking' others - but we also know 
>(cuz Johannes tells us so) that it is full of 'false positives' - 
>which he won't clear out.  Well, I can see some ISP deciding to use 
>DShield as a way to determine 'bad users' within their IP space, 
>along with other data sources, and the problems it would cause.
>
>And remember, people don't get on the TSA's list for no reason (OK, 
>maybe they do... Bad example). However, those names proibably didn't 
>materialize out of thin air - there was a criteria used for putting 
>them on the list, strange as it may seem.  Do you really think the 
>ISPs would do a better job of managing a list than the folks at 
>TSA/DHS/FBI/ whoever?
>
>-EdTr
>-----Original Message-----
>From: Laura Vance <vancel at winfreeacademy.com>
>Date: Thu, 12 Jan 2006 11:19:23
>To:General DShield Discussion List <list at lists.dshield.org>
>Subject: Re: [Dshield] Possible solution for ISP (was DShield's public goals)
>
>Ed Truitt wrote:
>
>>This database of 'bad' users sounds a LOT like the TSA's "no fly" 
>>list -- and there is some concern about how that is working out 
>>(more than concern if you have to undergo a cavity search every 
>>time you fly, because you happen to share a name with some 
>>maybe-terrorist.). The maintainability problems of this proposed 
>>list appear to be similar - who vets the names? How does one ever 
>>get off the list?
>>
>>Cheers,
>>-E D Truitt
>> 
>>
>I mentioned these in the initial suggestion.
>
>First concern is that this one doesn't try to pre-determine if someone
>is bad.  The TSA tries to determine evil-doers before they do evil. 
>This suggestion only flags people that have already gotten infected. 
>Only after either the ISP notices it, or if someone reports that user to
>the ISP.  It doesn't punish someone for what they *might* do, only for
>what they just did.
>
>Second concern is who keeps track of it.  All ISP's would enter the
>names as they get blocked.  It's just a central computer running a
>system that ISPs simply log into to add or check names (or some other
>uniquely identifiable information).  The ISP adds names as they get
>infected/blocked, and the ISP can unflag them when they have met the
>criteria for removal.  Every ISP would have the same ability to do this,
>because the list would be available to all ISPs.  It could maybe even
>track which ISPs users have used... track user migration from ISP to ISP
>so the ISP's know what to do to attract more customers... but that's not
>the focus of this particular system.
>
>Third concern about how do they get off the list.  If you are flagged as
>bad or blocked (however the term will be), you take your computer to an
>authorized place (or maybe even geeks on call could do it).  There would
>be specific companies that are authorized to certify that a computer has
>been cleaned and an attempt has been made to educate the owner.  The
>owner then sends this via fax (or postal service) to the ISP, or the
>company that repaired it faxes it to the ISP and viola, the user is back
>online.
>
>Something that would be good is if once someone has been educated, it
>goes on their record as a good mark, and then everyone will know that
>Joe Blow has passed training on how to keep his computer safe, so he may
>get preferential treatment at future ISPs... but that's getting ahead of
>myself.
>--
>
>Thanks,
>Laura Vance
>Systems Engineer
>Winfree Academy Charter Schools
>
>
>_________________________________________
>Learn about Intrusion Detection in Depth from the comfort of your own couch:
>https://www.sans.org/athome/details.php?id=1341&d=1
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
>
>Cheers,
>-E D Truitt
>
>Sent via my BlackBerry from Cingular Wireless
>_________________________________________
>Learn about Intrusion Detection in Depth from the comfort of your own couch:
>https://www.sans.org/athome/details.php?id=1341&d=1
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
skype: trshaw


More information about the list mailing list